Continuous Certification and Accreditation

Purpose

How can the Department of State leverage its successful Risk Scoring Program?

NIST SP 800-37 defines how Federal C&A is to be accomplished

NIST SP 800-37 Rev. 0

The previous version had 4 Steps:

► Preparation

► Notification and Resource Identification

► System Security Plan Analysis, Update and Acceptance

► Security Control Assessment

► Security Certification Documentation

► Security Accreditation Decision

► Security Accreditation Documentation

► Configuration Mgmt. and Control

► Security Control Monitoring

► Status Reporting and Documentation


NIST SP 800-37 Rev. 1

The recently released version has 6 steps.

[Figure: Risk Management Framework cycle showing the NIST SP 800-37 Rev. 1 steps (e.g., Categorize Information System, Assess Security Controls), with the NIST SP 800-37 Rev. 0 steps mapped onto the Rev. 1 steps.]



NIST's model is notionally linear yet flexible in its application

Implications of NIST SP 800-37 Rev. 1

► The Risk Management Framework when implemented as depicted can take quarters and years to complete, not hours or days.

► Federal agencies can improve security by exercising SP 800-37 Rev 1's built-in flexibility to:

- Guide day-to-day Remediation Decisions

- Trigger reconsideration of accreditation day-to-day when risk levels exceed pre-defined triggers.

"Near real-time risk management of information systems can be facilitated by employing automated support tools to execute various steps in the RMF including authorization-related activities." (SP 800-37 Rev 1)

How can we apply the NIST steps to

- Fully comply with NIST rules, and

- Achieve decision-making based on near real-time monitoring?





The Department's continuous C&A process adheres to NIST rules and achieves near real-time monitoring

Continuous C&A Process

[Figure: Continuous C&A Process, showing the System Security Plan, Security Controls, Dashboard, Continuous Monitoring, Prepare Authorization Report, and Do Not Operate elements, with the following callouts.]

The information captured by the automated continuous monitoring will inform the validation of Department information system security plans.

The brain of the near real-time continuous monitoring capability will test controls 70 to 300 times more often than required.

Threat and situational analysis feeds will inform both the authorization and continuous monitoring process.

Continuous monitoring enables real-time risk decision-making.


The continuous monitoring dashboard is the brain of near real-time C&A

The dashboard can (eventually) provide documentation of testing of all controls in a way that is timely, targeted, and prioritized.

Continuous Monitoring Process

NIST's steps 4 and 6 are really both about testing.

- Step 4 involves testing during "certification" and

- Step 6 involves testing during "monitoring"

These are really the same.

The SCAP language, provided by NSA, NIST, etc., should be used as the way for testing tools to communicate results to the dashboard. This provides many benefits including:

- Standardized language for conducting repeatable tests, and expressing test results in a re-usable format.

- Standardized re-usable content that can be borrowed from other agencies.

- Enabled comparison of test results for measurement and risk management.






The continuous monitoring dashboard offers both costs and benefits

Continuous Monitoring Process

Benefits

► Operational managers know what high risk items need most to be fixed, and can easily find them.

► Senior managers have an easily understood measure of whether security is adequate.

► Risk is assessed 100-300 times more frequently than with traditional FISMA methods.

► Using SCAP allows easy communication of controls to sensors, and results to the dashboard.

► Demonstrated potential for 90% reductions in risk in 12 months.

Costs

► Initial phases can often use data from existing sensors to achieve major reductions in risk at low cost.

► Where new dashboard/sensors are needed they can be funded with what would have been spent on one-time tests for C&A.

► Effort to express controls in SCAP. (This can be reduced by reusing SCAP from the NIST/NSA library.)

► Communications, and business change management are needed to achieve full impacts.



The dashboard dynamically feeds the Risk Management Framework

[Figure: Risk Management Framework with a Significant Change Analysis box and Continuous Monitoring (NIST steps 4 and 6) feeding the dashboard, with the following callouts.]

Under the old model a significant change required a recertification. But with near real-time testing going on, no special test (certification) is required; the focus becomes re-planning.

Whenever the dashboard identifies issues, they should be evaluated to determine whether changes are needed to the SSP.

When the dashboard identifies new kinds of sensitive data in a system, that can immediately trigger re-categorization.

When the dashboard identifies new components (e.g., database links not in the SSP) it can be used to trigger human authorization and SSP update, if appropriate.

The Security Plan informs the dashboard of what controls need to be tested (these need to be recorded as SCAP tests).

When the dashboard identifies controls that need attention, it informs operators to change the implementation to make the controls work.



The system security process offers both costs and benefits

System Security Process

Benefits

► Control problems are found and fixed faster.

► The most significant problems are addressed first.

► Unplanned/Unannounced changes to data and controls are found sooner.

► If the security controls are expressed in SCAP, rather than text, then automation can be accelerated.

Costs

► There is little additional cost beyond what was described earlier.

► Communications, training, and business change management are key.



Because of "continuous" testing, we can have "continuous" authorization

Continuous Authorization Process

Whenever the dashboard identifies issues, they should be evaluated to determine whether changes are needed to the SSP.

As the system operates, the DAA is notified as soon as a trigger point is reached (but not before). This assures timely response when risk is too high.

Normal operations are anticipated to occur most of the time.

The Dashboard provides a "risk score" for each system.

Almost all problems not caught during normal operations should be caught and fixed during re-planning.

The DAA (as part of initial authorization) will define "trigger points" (risk levels that will trigger a change from normal operations, to (first) re-planning and (second) Do Not Operate status).
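As an added example (not from the deck or the Department's program), the following Python sketch ties together the two mechanisms described above: SCAP/XCCDF-style rule results feeding a per-system risk score, and DAA-defined trigger points that move a system from normal operations to re-planning and then Do Not Operate, notifying the DAA only when a trigger point is crossed. The XML fragment, control weights and thresholds are constructed assumptions.

```python
# Added example, not from the deck: SCAP/XCCDF-style rule results -> per-system
# risk score -> DAA trigger points (normal / re-planning / do-not-operate).
# The XML fragment, weights and thresholds below are constructed for illustration.
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed XCCDF TestResult fragment: one rule-result per tested control.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_sys1">
  <rule-result idref="xccdf_example_rule_ac2_inactive_accounts" weight="10.0"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_cm6_baseline_config" weight="5.0"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_si2_patch_level" weight="8.0"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_ia5_password_policy" weight="3.0"><result>notapplicable</result></rule-result>
</TestResult>"""

# Constructed trigger points a DAA might set at initial authorization: a score
# >= "yellow" moves the system to re-planning, >= "red" to Do Not Operate.
TRIGGERS = {"yellow": 10.0, "red": 25.0}

def risk_score(xccdf_xml):
    """Sum the weights of rule-results that did not pass; 'error'/'unknown'
    count as failures so an unverified control is never scored as safe."""
    root = ET.fromstring(xccdf_xml)
    score = 0.0
    for rr in root.iter(XCCDF_NS + "rule-result"):
        result = (rr.findtext(XCCDF_NS + "result") or "").strip()
        if result in ("fail", "error", "unknown"):
            score += float(rr.get("weight", "1.0"))
    return score

def status_for(score, triggers=TRIGGERS):
    """Map a risk score onto the three operating states the deck describes."""
    if score >= triggers["red"]:
        return "do-not-operate"
    if score >= triggers["yellow"]:
        return "re-planning"
    return "normal"

def daa_notifications(scores, triggers=TRIGGERS):
    """Return (reading_index, new_status) each time status escalates: the DAA
    is alerted when a trigger point is reached, not before and not on each read."""
    order = {"normal": 0, "re-planning": 1, "do-not-operate": 2}
    notes, prev = [], "normal"
    for i, s in enumerate(scores):
        cur = status_for(s, triggers)
        if order[cur] > order[prev]:
            notes.append((i, cur))
        prev = cur
    return notes
```

With the constructed results the system scores 18.0 and sits in re-planning; a run of scores shows the DAA being alerted only at the readings where yellow and then red are first crossed.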




The continuous authorization process offers both costs and benefits

Continuous Authorization Process

Benefits

► DAA rests assured that risk is being monitored frequently, and that they will be alerted if a trigger point is reached.

► When a trigger point is reached, the DAA has a tangible and understandable risk measure (grade, rank, and score).

► Most risks will be fixed before yellow is ever reached.

► The yellow alert level provides time to fix essentially all remaining risks before red status is reached.

Costs

► Cost for DAA reviews should be reduced because of better summarization.

► Costs of testing and remediation become incidental daily expenses, rather than major periodic expenses.
The new NIST risk framework emphasizes a focus on all levels of risk, which adds a new dimension to C&A

Enterprise Risk Process

[Figure: the three NIST risk tiers (Tier 1 - Organization, Tier 2 - Mission / Business Process, Tier 3 - Information System), spanning Strategic Risk to Tactical Risk, feeding the Dashboard and the Prepare Authorization Report step, with the following callouts.]

The threat and situational analysis will send risk scoring adjustments to the dashboard to enable system owners to focus on the highest risks first.

Threat Analysis looks at historical attacks to predict future events.

Situational Analysis looks at the current environment to enable effective actions.

When a reauthorization is triggered, the threat and situational analysis will send narrative data about the environmental risk to the system owner and the DAA so they can direct changes in protective measures.



The enterprise risk process offers both costs and benefits

Enterprise Risk Process

Benefits

► These inputs fine tune risk scores to ensure rapid attention to real threats by operational managers.

► This is a major workforce multiplier.

► The narrative provided to the DAA enables more informed risk decisions, based on environmental awareness.

► Total risk is lowered faster.

Costs

► Additional tools are needed for these analyses, if not already in place.

► These tools can also be funded from what would have been spent on one-time C&A studies.

► The cost of analysis is small compared to the leveraged impact it has on operational security.




Continuous C&A Process will provide more effective real-time security, not just a snapshot in time

Continuous C&A Process

Although there is some cost inherent in the Continuous C&A process, its benefits are significant and cannot be ignored

Benefits

► Potential to reduce risks by 90% per year.

► Increase frequency of testing by a factor of 100-300 to address emerging threats.

► Add Environmental Analyses (Threat and Situation) to meet emerging requirements.

► Enables continuous accreditation.

► Spreads costs over time, reducing time delays.

Costs

► Most can be covered by redirecting resources that would have been spent on one-time testing.

► Communications, training, and business change management are key.

► Some technology for additional tools and dashboards is needed.

► Effort to express controls in SCAP.

► Achieves cost reductions in some areas.



For further information on the Department of State's Continuous C&A Strategy, please reach out to the following POCs

Points of Contact

John Streufert
Chief Information Security Officer
Department of State, IRM/IA
Arlington, VA 22203
Tel (703) 812-2555
streufertj@state.gov

George Moore
Chief Computer Scientist
Department of State, IRM/IA
Arlington, VA 22203
Tel (703) 812-2203
moorage@state.gov

Pete Gouldmann
NIST & CNSS Liaison
Department of State, IRM/IA
Arlington, VA 22203
Tel (703) 812-2201
gouldmannp@state.gov



